Web Application Vulnerabilities



Similar documents
Dissecting and digging application source code for vulnerabilities

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

What is Web Security? Motivation

Early Vulnerability Detection for Supporting Secure Programming

An Introduction to Application Security in J2EE Environments

Web Application Report

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

How to Build a Trusted Application. John Dickson, CISSP

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Passing PCI Compliance How to Address the Application Security Mandates

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Where every interaction matters.

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Thick Client Application Security

Adobe Systems Incorporated

Java Web Application Security

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

The Top Web Application Attacks: Are you vulnerable?

Attack Vector Detail Report Atlassian

Web App Security Audit Services

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Application Security Testing How to find software vulnerabilities before you ship or procure code

Testing the OWASP Top 10 Security Issues

Web Application Penetration Testing

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Web Engineering Web Application Security Issues

Application Security Testing

Top 10 Web Application Security Vulnerabilities - with focus on PHP

Essential IT Security Testing

Barracuda Web Site Firewall Ensures PCI DSS Compliance

University of Wisconsin Platteville SE411. Senior Seminar. Web System Attacks. Maxwell Friederichs. April 18, 2013

Application Security Testing. Generic Test Strategy

Last update: February 23, 2004

Strategic Information Security. Attacking and Defending Web Services

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

How To Write A Web Application Vulnerability Scanner And Security Auditor

Columbia University Web Security Standards and Practices. Objective and Scope

elearning for Secure Application Development

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Magento Security and Vulnerabilities. Roman Stepanov

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

Web application security

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Securing Enterprise Web Applications at the Source: An Application Security Perspective

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

(WAPT) Web Application Penetration Testing

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Web Vulnerability Detection and Security Mechanism

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Security Code Review- Identifying Web Vulnerabilities

Application Code Development Standards

Secure Web Applications. The front line defense

Still Aren't Doing. Frank Kim

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Web Application Security

AppDefend Application Firewall Overview

Integrating Security Testing into Quality Control

Web Application Firewall on SonicWALL SSL VPN

Security in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References

Intrusion detection for web applications

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

Web application vulnerability statistics for

What Every (Software) Engineer Needs To Know About Security. -- and -- Where To Learn It

OWASP Top Ten Tools and Tactics

Implementation of Web Application Firewall

Web Application Security

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Application security testing: Protecting your application and data

Using Free Tools To Test Web Application Security

SQuAD: Application Security Testing

OWASP TOP 10 ILIA

Web Application Security

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

Web Application Security Considerations

Web Application Security

How To Understand And Understand The Security Of A Web Browser (For Web Users)

IJMIE Volume 2, Issue 9 ISSN:

How To Ensure That Your Computer System Is Safe

Transcription:

Securing Web Applications with Information Flow Tracking with Michael Martin, Benjamin Livshits, John Whaley, Michael Carbin, Dzin Avots, Chris Unkel Web Application Vulnerabilities 50% databases had a security breach [Computer crime & security survey, 2002] 92% Web applications are vulnerable [Application Defense Center, 2004] 48% of all vulnerabilities Q3-Q4, 2004 [Symantec May, 2005] 1

Top Ten Security Flaws in Web Applications [OWASP] 1. Unvalidated Input 2. Broken Access Control 3. Broken Authentication and Session Management 4. Cross Site Scripting (XSS) Flaws 5. Buffer Overflows 6. Injection Flaws 7. Improper Error Handling 8. Insecure Storage 9. Denial of Service 10. Insecure Configuration Management Web Applications Hacker Browser Web App Database Evil Input Confidential information leak 2

SQL Injection Errors Hacker Browser Web App Database Give me Bob s credit card # Delete all records Happy-go-lucky SQL Query User supplies: name, password Java program: String query = SELECT UserID, Creditcard FROM CCRec WHERE Name = + name + AND PW = + password 3

Fun with SQL : the rest are comments in Oracle SQL SELECT UserID, CreditCard FROM CCRec WHERE: Name = bob AND PW = foo Name = bob AND PW = x Name = bob or 1=1 AND PW = x Name = bob; DROP CCRec AND PW = x Vulnerabilities in Web Applications Inject Parameters Hidden fields Headers Cookie poisoning X Exploit SQL injection Cross-site scripting HTTP splitting Path traversal 4

Key: Information Flow A Simple SQL Injection Pattern o = req.getparameter ( ); stmt.executequery ( o ); 5

In Practice ParameterParser.java:586 String session.parameterparser.getrawparameter(string name) public String getrawparameter(string name) throws ParameterNotFoundException { String[] values = request.getparametervalues(name); if (values == null) { throw new ParameterNotFoundException(name + " not found"); } else if (values[0].length() == 0) { throw new ParameterNotFoundException(name + " was empty"); } return (values[0]); } ParameterParser.java:570 String session.parameterparser.getrawparameter(string name, String def) public String getrawparameter(string name, String def) { try { return getrawparameter(name); } catch (Exception e) { return def; } } In Practice (II) ChallengeScreen.java:194 Element lessons.challengescreen.dostage2(websession s) String user = s.getparser().getrawparameter( USER, "" ); StringBuffer tmp = new StringBuffer(); tmp.append("select cc_type, cc_number from user_data WHERE userid = ' ); tmp.append(user); tmp.append("' ); query = tmp.tostring(); Vector v = new Vector(); try { ResultSet results = statement3.executequery( query );... 6

PQL: Program Query Language o = req.getparameter ( ); stmt.executequery ( o ); Query on the dynamic behavior based on object entities Abstracting away information flow Dynamic vs. Static Pattern Dynamically: o = req.getparameter ( ); stmt.executequery (o); Statically: p 1 = req.getparameter ( ); stmt.executequery (p 2 ); p 1 and p 2 point to same object? Pointer alias analysis 7

Flow-Insensitive Pointer Analysis Objects allocated by same line of code are given the same name. Datalog o 1 : p = new Object(); pts(p,o 1 ) o 2 : q = new Object(); pts(q,o 2 ) p.f = q; hpts(o 1,f,o 2 ) r = p.f; pts(r,o 2 ) p o 1 q o 2 f r Assignments: Inference Rule in Datalog pts (v 1, h 1 ) :- v 1 = v 2 & pts (v 2, h 1 ). v 1 = v 2 ; v 2 h 1 v 1 8

Inference Rule in Datalog Stores: hpts(h 1, f, h 2 ) :- v 1.f = v 2 & pts(v 1, h 1 ) & pts(v 2, h 2 ). v 1.f = v 2 ; v 1 h 1 v 2 h 2 f Inference Rule in Datalog Loads: pts(v 2, h 2 ) :- v 2 = v 1.f & pts(v 1, h 1 ) & hpts(h 1, f, h 2 ). v 2 = v 1.f; v 1 h 1 v 2 h 2 f 9

Pointer Analysis Rules pts(v, h) :- h: T v = new T() ; pts(v 1, h 1 ) :- v 1 = v 2 & pts(v 2, h 1 ). hpts(h 1, f, h 2 ) pts(v 2, h 2 ) :- v 1.f = v 2 & pts(v 1, h 1 ) & pts(v 2, h 2 ). :- v 2 = v 1.f & pts(v 1, h 1 ) & hpts(h 1, f, h 2 ). Pointer Alias Analysis Specified by a few Datalog rules Creation sites Assignments Stores Loads Apply rules until they converge 10

Context-Sensitive Pointer Analysis L1: a=malloc(); a=id(a); id(x) id(x) id(x) {return x;} L2: b=malloc( ); b=id(b); context-sensitive a L1 x context-insensitive b L2 x Even without recursion, # of Contexts is exponential! 11

Top 20 Sourceforge Java Apps 10 16 10 12 10 8 10 4 10 0 Costs of Context Sensitivity Typical large program has ~10 14 paths If you need 1 byte to represent a context: 100 terabytes of storage > 12 times size of Library of Congress Memory: $1.2 million Hard drive: $47,500 Time to read sequentially: 20 days 12

Cloning-Based Algorithm Whaley&Lam, PLDI 2004 (best paper award) Create a clone for every context Apply context-insensitive algorithm to cloned call graph Lots of redundancy in result Exploit redundancy by clever use of BDDs (binary decision diagrams) Automatic Analysis Generation PQL Ptr analysis in 10 lines Datalog bddbddb (BDD-based deductive database) with Active Machine Learning 1000s of lines BDD operations 1 year tuning BDD: 10,000s-lines library 13

Benchmarks 9 large, widely used applications Blogging/bulletin board applications Used at a variety of sites Open-source Java J2EE apps Available from SourceForge.net Vulnerabilities Found SQL injection HTTP splitting Cross-site scripting Path traversal Total Header 0 6 5 0 11 Parameter 6 5 0 2 13 Cookie 1 0 0 0 1 Non-Web 2 0 0 3 5 Total 9 11 5 5 30 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information